Quite a few people have asked me to explain how one encrypts the control channel so that local users cannot sniff passwords and the like.
SSH pipes are the solution for this, and gftpd fully supports bouncers through ssh pipes.
Here are step-by-step instructions on how to do it correctly:
Gftpd treats the string localhost as 127.0.0.1; because a connection coming out of an ssh pipe appears to originate from localhost, you must enter 'localhost' as bounce_host.
SITEBOX:~ # grep bounce /etc/gftpd.sysconfig
be opened from the bncbox to the sitebox (make sure that
BNCBOX:~ # ssh -L2222:188.8.131.52:4444 184.108.40.206
BNCBOX:~ # cat bouncer.conf
To summarise: BNCBOX now listens for incoming connections on port 8888 (so you give users 220.127.116.11:8888 as the login info). When a connection arrives, the bouncer forwards it to localhost (BNCBOX) port 2222. From there it travels encrypted through the ssh pipe to the destination host (SITEBOX) and comes out on port 4444, which is the port gftpd is listening on. With securebounce 1 the bouncer first asks the daemon whether the ident@host is allowed; if it is, the bouncer returns the login prompt to the user, otherwise it does not answer at all.
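As an added sanity check (not part of gftpd or this guide), the script below verifies that the three hops of the chain line up and that the plaintext entry point of the ssh pipe on BNCBOX is bound to loopback. The Chain fields are an assumption of this example; the accepted -L syntax is OpenSSH's documented `[bind_address:]port:host:hostport` form.

```python
"""Consistency check for a gftpd bouncer chained through an ssh -L pipe (added example)."""
from dataclasses import dataclass

LOOPBACK = ("localhost", "127.0.0.1", "::1")


@dataclass
class Chain:
    bouncer_listen: int       # port users connect to on BNCBOX (8888 above)
    bouncer_forward: tuple    # (host, port) the bouncer relays into, ("localhost", 2222) above
    ssh_forward: str          # the argument given to ssh -L, "2222:188.8.131.52:4444" above
    gftpd_port: int           # port gftpd listens on at SITEBOX (4444 above)
    bounce_host: str          # bounce_host value from /etc/gftpd.sysconfig


def parse_ssh_forward(spec):
    """Split an ssh -L spec '[bind:]port:host:hostport'; OpenSSH binds to loopback when bind is absent."""
    parts = spec.split(":")
    if len(parts) == 3:
        bind, port, host, hostport = "127.0.0.1", *parts
    elif len(parts) == 4:
        bind, port, host, hostport = parts
    else:
        raise ValueError(f"unrecognised -L spec: {spec!r}")
    return bind, int(port), host, int(hostport)


def check_chain(chain):
    """Return a list of problems; an empty list means the hops are consistent."""
    problems = []
    bind, lport, _rhost, rport = parse_ssh_forward(chain.ssh_forward)
    fhost, fport = chain.bouncer_forward
    if fhost not in LOOPBACK:
        problems.append("bouncer relays off-box in plaintext instead of into the local ssh pipe")
    if fport != lport:
        problems.append(f"bouncer forwards to port {fport} but ssh -L listens on port {lport}")
    if rport != chain.gftpd_port:
        problems.append(f"ssh pipe exits on port {rport} but gftpd listens on port {chain.gftpd_port}")
    if bind not in LOOPBACK:
        problems.append(f"ssh -L bound to {bind}: the plaintext pipe entry is reachable from other hosts")
    if chain.bounce_host not in LOOPBACK:
        problems.append("bounce_host must be localhost: tunnelled connections arrive from 127.0.0.1")
    return problems


if __name__ == "__main__":
    # The chain exactly as described in the text above.
    setup = Chain(8888, ("localhost", 2222), "2222:188.8.131.52:4444", 4444, "localhost")
    print(check_chain(setup) or "chain is consistent")
```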